What is an Advanced Persistent Threat (APT)?

An advanced persistent threat (APT) refers to an attack that continues, secretively, using innovative hacking methods to access a system and stay inside for a long period of time. Typical attackers are cyber criminals, like the Iranian group APT34, the Russian organization APT28, and others. Although they can come from all over the world, some of the most notable attackers come from Iran, other areas of the Middle East, and North Korea.

Understanding what APT is also involves knowing their targets. APT attackers have been known to go after countries and the large organizations within, as well as large corporations, to exfiltrate information, gradually and systematically, over long stretches of time before withdrawing. The time spent within an organization’s IT system is known as “dwell time.” 

Many other types of cyberattackers have very short dwell times because they focus on getting in and out quickly. APT attackers have significantly longer dwell times, while they either chip away at accomplishing their objectives or wait for the right moment to get what they want. During the waiting period, they may study security systems and adjust their approach accordingly.

Often, these attackers focus on organizations or companies in the United States or other developed countries. Even though they may go after high-value targets, attackers often try to gain access to them using smaller companies or organizations that the targets use to do business. This may include companies along their supply lines or organizations they partner with to further their objectives.

APT attackers tend to hone in on gaining intelligence or other vital information to damage a larger system, exploit or make an organization look bad, or gain a competitive advantage.

While a traditional cyberattacker may use fairly simple, straightforward methods, such as deploying a Trojan or relatively simple malware, APT attackers use more advanced techniques. For example, they may:

1. Use elaborate espionage tactics involving multiple actors to penetrate an organization step by step. Getting behind the organization’s firewalls can take dozens of steps and happen over a series of several months or longer.
2. Gain access to a network through an easy entry point like its email system and then plant malware. The malware examines and evaluates the network, as well as its security system, in search of vulnerabilities. The malware can also act like an agent itself, waiting for a command that instructs it to launch a wave of malicious code.

APT threats are persistent in two ways:

1. They are determined to attain specific goals by attacking certain targets. This is different from random cyber threats that attack a wide range of organizations, hoping to stumble on one with a weak security system.
2. Once they gain entry, they remain for long periods of time while either waiting for an opportune moment or gradually extracting information.

Like all threats, APTs are dangerous because they have both the ability and intent to cause harm. They are:

1. Well-orchestrated operations powered by humans determined to obtain an objective. This makes the threat more tangible than those posed by random programs floating around the internet.
2. Well-funded because those employing the attackers place a high value on a successful attack or extraction of information.

APT attacks are performed systematically, according to progressive, interdependent steps.

To get inside the system, cyber criminals often use infected files, junk email, a vulnerable app, or a weak spot on the network.

Attackers plant malware that enables them to set up a network of tunnels and backdoors that allow them to navigate within the system without being detected. The malware can also help them cover their tracks by rewriting code.

After attackers get inside, they may compromise passwords to access administrator rights. They then use these to manipulate more aspects of the system and obtain greater access.

Once they are fully inside, attackers may try to move around to other areas of the network, such as servers and other devices. They may also expand the attack, gaining and then deepening access in connected areas.

While inside the system, attackers can closely examine how it works as well as where it is vulnerable. Once they have done this, it is easy to grab the information they need. They can then remain in the system until they achieve their goal—or stay inside without any plans of ever exiting.

To detect APT attacks and protect systems from them, an organization must implement a multipronged approach.

There are several options open to companies that wish to make their network safer from APT attacks.

Closely monitoring all inbound and outbound traffic can help prevent APT attackers from getting inside and installing the backdoors they need to gain deeper access. This can be done using a next-generation firewall (NGFW) deployed at the edge of the network. The firewall can examine all ingress and egress traffic, as well as employ filters to detect specific types of attacks.

Whitelisting involves designating a specific set of applications or domains as safe. Only traffic coming from the applications and domains on the list is allowed into the network.

Controlling who is allowed to access the network and how can be a powerful tool in preventing APT attacks. The first step is determining who needs access. Then you make sure each user goes through a multi-factor authentication (MFA) process before being allowed entry. Not only does this limit the number of potential attackers, but if the system is compromised, it is also easier to narrow down the source of the problem.

One of the most effective security tools against APT are NGFWs. These filter network traffic, only allowing approved data to go in and out of a system. Through carefully designed packet filtering, they can identify attacks, malware, and additional threats.

Another effective method of preventing attacks is a sandbox solution. When a sandbox protocol is implemented, a specific application is confined to an isolated environment. There, the suspicious object’s behavior is analyzed, while the other systems are protected from its malicious programming. If the suspicious application executes harmful code, only the sheltered, secluded sandbox would be affected.